PatchSiren cyber security CVE debrief
CVE-2026-9402 Edimax CVE debrief
A command injection vulnerability exists in the Edimax BR-6675nD router firmware version 1.12. The vulnerability is located in the formWlanMP function within the /goform/formWlanMP endpoint, which handles POST requests. Multiple parameters—including ateFunc, ateGain, ateRate, ateChan, ateTxCount, various e2pTxPower parameters, ateTxFreqOffset, ateMode, ateMacID, ateBW, ateAntenna, e2pTxFreqOffset, e2pTxPwDelta variants, readE2P, and others—are susceptible to command injection manipulation. The attack vector is network-based and can be exploited remotely. The vulnerability has been publicly disclosed with exploit availability, and the vendor was contacted prior to disclosure but did not respond. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, no user interaction, with low impacts to confidentiality, integrity, and availability. The weakness classifications are CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Improper Neutralization of Special Elements used in a Command).
- Vendor: Edimax
- Product: BR-6675nD
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-24
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-24
- Advisory updated: 2026-05-26
Who should care
Network administrators managing Edimax BR-6675nD deployments; security teams responsible for SOHO and small business network infrastructure; organizations with remote management exposure of edge networking equipment
Technical summary
The Edimax BR-6675nD firmware 1.12 contains a command injection vulnerability in its wireless configuration handler. The formWlanMP function processes POST requests to /goform/formWlanMP without adequate input sanitization across approximately 25 distinct parameters related to ATE (Automatic Test Equipment) functions and EEPROM power settings. An attacker with network access to the administrative interface can inject arbitrary shell commands through these parameters. The vulnerability is remotely exploitable without authentication requirements per CVSS 4.0 scoring. The extensive parameter surface increases the likelihood of successful exploitation through alternative vectors if individual parameters are patched incompletely.
Defensive priority
medium
Recommended defensive actions
- Restrict network access to the router's administrative interface to trusted management networks only
- Implement network segmentation to isolate affected router management interfaces from untrusted networks
- Monitor for anomalous POST requests to /goform/formWlanMP containing shell metacharacters or command injection patterns
- Consider replacing affected hardware if no vendor patch is forthcoming, given the vendor's non-responsiveness
- Review logs for historical exploitation attempts targeting the identified parameter set
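The monitoring and log-review actions above, sketched as an added example (not code from the advisory, the vendor, or PatchSiren): it flags POST bodies sent to /goform/formWlanMP whose decoded form values contain shell metacharacters and groups the findings by source address. It assumes a proxy or IDS that records request bodies as (source, method, path, body) tuples; the sample records and the field names `e2pTxPower1` and `newField` are constructed.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/formWlanMP"
# Parameter names and name prefixes taken from the advisory text above.
NAMED = {"ateFunc", "ateGain", "ateRate", "ateChan", "ateTxCount",
         "ateTxFreqOffset", "ateMode", "ateMacID", "ateBW", "ateAntenna",
         "e2pTxFreqOffset", "readE2P"}
PREFIXES = ("e2pTxPower", "e2pTxPwDelta")
# Characters with special meaning to a shell, plus CR/LF.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\r\n]")

def is_listed(name):
    """True if the advisory names this parameter (or its prefix)."""
    return name in NAMED or name.startswith(PREFIXES)

def inspect_request(method, path, body):
    """Return (param, decoded_value, listed) for each suspicious form field."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    hits = []
    # parse_qsl percent-decodes, so %3B is seen as ';' before matching.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if SHELL_META.search(value):
            # The advisory says "and others", so unlisted names are kept too.
            hits.append((name, value, is_listed(name)))
    return hits

def scan(records):
    """Map each source address to the suspicious fields it sent."""
    findings = {}
    for src, method, path, body in records:
        hits = inspect_request(method, path, body)
        if hits:
            findings.setdefault(src, []).extend(hits)
    return findings

# Constructed records (src, method, path, body); e2pTxPower1/newField are made up.
SAMPLE = [
    ("192.0.2.10", "POST", "/goform/formWlanMP",
     "ateFunc=1&ateChan=6&ateMacID=00%3A11%3A22%3A33%3A44%3A55"),
    ("198.51.100.7", "POST", "/goform/formWlanMP", "ateFunc=1&ateGain=5%3Becho+test"),
    ("198.51.100.7", "POST", "/goform/formWlanMP?x=1", "e2pTxPower1=10&newField=%7Ctrue"),
    ("192.0.2.10", "GET", "/goform/formWlanMP", ""),
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE).items():
        print(src, hits)
```

Matching on the endpoint rather than only on the listed names keeps the check useful if further parameters turn out to be affected; the `listed` flag lets an analyst separate the two cases.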
Evidence notes
Vulnerability confirmed through VulDB CNA submission and Notion-hosted technical documentation. CVSS 4.0 scoring applied. No CISA KEV listing at time of analysis.
Official resources
Public disclosure with exploit availability; vendor non-responsive